BreachExchange mailing list archives

IT policies and procedures your business needs


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 26 May 2015 19:59:17 -0600

http://www.grbj.com/blogs/13-law/post/82465-it-policies-and-procedures-your-business-needs

Businesses may think that they only need to adopt information technology
policies and procedures where they are required to do so by law. However,
it is a far better practice to proactively adopt IT policies and procedures
to protect your business, even where you are not required to do so.

Policies and procedures work together and both are important. Policies
define organizational goals, specify directives regarding certain issues
and provide a mechanism for how decisions are made. Procedures provide
direction to staff regarding the steps to be taken in order to complete a
task consistent with company policy and encourage consistent staff behavior.

Security, privacy and intellectual property protection are some of the
primary issues affecting information technology, but businesses should
proactively identify and address a wide variety of issues in their policies
and procedures. There is no one-size-fits-all approach to what policies and
procedures should be used or what they should say, because every business
has different needs, practices and functions. However, some of the issues
that should be addressed include the following.

Security. The goal of a security policy is to enable a business to
identify, manage and hopefully reduce security risks. Ideally, a security
policy will help a business’ staff determine what specific security
practices and technology solutions are necessary and appropriate for that
business. Businesses should be mindful of legal requirements or other
relevant security standards that should be incorporated into security
policies and procedures.

Privacy. Every business should identify third-party data that it collects
and assess how the data is used, stored and disclosed. After it has done
so, it can establish a policy regarding treatment of confidential and
sensitive information and procedures regarding how such information should
be handled. Businesses in highly regulated industries (such as health care,
finance and education) and in certain states and countries (for example,
California and the European Union) are subject to specific limitations
regarding the collection and use of third-party confidential information
and so care should be taken to ensure compliance with all applicable legal
requirements.

Contracting and procurement. Businesses should establish a procurement
process, so that they are aware of and comply with all contractual
obligations. Also, a specified department or individual should have
authority to negotiate and execute contracts, including online terms of
service, and someone should be tasked with keeping track of executed
contracts and the timing of automatic term renewals.

Acceptable use of technology. One way to limit liability related to
employees’ use of technology is to communicate to those employees what the
business considers to be appropriate and acceptable use. An acceptable-use
policy could include guidance regarding the use of email, the Internet,
social media and employee-owned devices, among other issues. A ban or
prohibition on all personal use of technology is not only impractical, but
could backfire, and an acceptable-use policy that stresses the use of good
old common sense is often a better approach.

Records retention and destruction. Although electronic and digital storage
makes it possible to retain a vast amount of documents and data, it may be
more prudent to destroy records after a period of time. Every business
should assess applicable legal requirements and practical considerations
and evaluate how long records must be kept and then how long records should
be kept.

Disaster recovery. No matter how strong a business’ security practices
might be, it is likely that the business will eventually become the victim
of a data breach. Businesses are also vulnerable to outages and losses
resulting from disasters. Each business should plan how it will react to
problems such as outages and breaches. Applicable law and regulatory
requirements relating to data breach notification should be identified, and
a response protocol to be used in the event of a breach should be
established.

Intellectual property. Businesses should carefully protect their
intellectual property assets in both policy and procedure. One essential
practice is to deliberately protect trade secrets, copyrights and patent
rights through agreements with employees and third parties. Businesses
should also consider how they will evaluate the selection, registration and
enforcement of their trademarks and service marks.

Although it is important to carefully consider and implement appropriate
policies, it is even more important that every business communicate the
policies to affected individuals and confirm that the policies are
followed. Performance should be monitored and reviewed regularly, and
policies should then be updated as needed. By using clear policies and
procedures in this way, a business can manage risks associated with the use
of IT.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/